Recently, so-called "spear-type virus" attacks have been used to infect specific targets: virus-infected e-mails whose file names and other attributes are disguised to look normal are sent to a chosen party. These attacks have frequently infected businesses, government offices, diplomatic missions, and the like. Merely opening the file attached to such an e-mail causes no visible change on the surface, but inside the computer malicious software is executed. Confidential information may then be leaked to the outside, remote operation from the outside may be enabled, a Trojan-horse-type infection may be established, and computer functions and operations may be halted; further, depending on the party infected, electricity, water, or other public services may be cut off, computer systems stopped, and various other consequences may follow. The technique of sending e-mails containing virus programs to specific targets under file names and other attributes disguised as normal can be called "classic", but it lends itself easily to the use of a previously unknown virus. Against such a virus program, which is difficult to detect with existing antivirus tests, the only effective protection is for the e-mail user to exercise care. Damage from e-mails carrying virus programs in this way will probably continue to occur in the future.
Further, Trojan-horse-type computer viruses that open a backdoor enabling remote operation and takeover of a computer need not specify a target and appear with high frequency, so they are hard for virus removal software to detect. Once a computer has been taken over, it can be used for the attacker's own purposes, so infection occurs frequently not only through e-mail but also through web pages.
As a technique for removing e-mails containing ordinary virus programs, there is, for example, the technique in which virus removal software compares an e-mail received at a POP server against a pattern file and, when a virus is found, removes it before or after the e-mail reaches the client. In this method the pattern file holds information on past viruses and their behavior patterns (definition files). The method compares a suspicious file against the pattern file and judges that a virus is present when the contents match or are similar, so it handles ordinary viruses characterized by the same data names and the like. Where an attachment carries a file name disguised as normal in order to infect a specific party, or a pattern unknown to the pattern file, detection is almost impossible. Moreover, at present, new unknown viruses are reported every few seconds, which makes protection by more generalized antivirus software difficult.
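The following is an added illustration of the pattern-file comparison described above and of where it fails; it is not code from this publication or from any antivirus product. The "pattern file", the sample bytes, the signature names (Demo.Dropper.A, Demo.Dropper.gen) and the magic-byte table are all constructed for the example. A repacked copy of a known sample still matches the byte-pattern entry ("similar" contents), a variant with a single inserted byte matches nothing and is passed as clean, and a name check that compares the claimed extension against the actual leading bytes is the kind of additional test that catches a disguised file name even when no signature matches.

```python
import hashlib
import re

# Constructed magic-byte table: the real content type, independent of the file name.
MAGIC = {"exe": b"MZ", "pdf": b"%PDF-", "zip": b"PK\x03\x04"}
# Extensions whose content is expected to begin with a given magic.
EXPECTED_MAGIC = {"exe": b"MZ", "dll": b"MZ", "pdf": b"%PDF-",
                  "docx": b"PK\x03\x04", "zip": b"PK\x03\x04"}

# Constructed sample bytes (not real malware): a "known" dropper, a mutated
# variant of it, and a benign document.
KNOWN_SAMPLE = b"MZ" + b"\x90" * 14 + b"CreateRemoteThread\x00WinExec\x00" + b"<payload>"
VARIANT = KNOWN_SAMPLE.replace(b"WinExec", b"Win\x00Exec")   # one byte inserted
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

# Constructed pattern file: whole-file hashes of known samples plus byte-pattern
# definitions, the two kinds of entry an ordinary definition file carries.
PATTERN_FILE = {
    "hashes": {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Dropper.A"},
    "byte_patterns": [
        ("Demo.Dropper.gen", re.compile(rb"CreateRemoteThread\x00{0,64}WinExec")),
    ],
}


def signature_scan(data, pattern_file=PATTERN_FILE):
    """Compare the file against the pattern file; return the signature name or None."""
    name = pattern_file["hashes"].get(hashlib.sha256(data).hexdigest())
    if name:
        return name                      # exact match on a past sample
    for name, pattern in pattern_file["byte_patterns"]:
        if pattern.search(data):
            return name                  # "similar" contents: shared code fragment
    return None


def real_type(data):
    """Content type judged from the leading bytes rather than the file name."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext
    return "unknown"


def name_disguised(filename, data):
    """True when the name promises one type but the bytes are another, or when the
    name carries a double extension such as report.pdf.exe."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and parts[-2] in EXPECTED_MAGIC and ext in ("exe", "scr", "com"):
        return True
    expected = EXPECTED_MAGIC.get(ext)
    return expected is not None and not data.startswith(expected)


def scan_attachment(filename, data):
    """Verdict for one attachment: ('malicious', sig), ('suspicious', why) or ('clean', None)."""
    hit = signature_scan(data)
    if hit:
        return "malicious", hit
    if name_disguised(filename, data):
        claimed = filename.rsplit(".", 1)[-1]
        return "suspicious", f"name says .{claimed} but content looks like {real_type(data)}"
    return "clean", None


if __name__ == "__main__":
    for name, data in [("setup.exe", KNOWN_SAMPLE),
                       ("setup.exe", KNOWN_SAMPLE + b"\x00" * 32),   # repacked, same code
                       ("setup.exe", VARIANT),                       # unknown variant
                       ("quarterly_report.pdf", VARIANT),            # disguised name
                       ("report.pdf", BENIGN_PDF)]:
        print(name, scan_attachment(name, data))
```

The variant named `setup.exe` is the case the passage describes: neither the hash nor the byte pattern in the definition file knows it, so the scanner reports it clean. Only when the same bytes arrive under a disguised name does the extension/magic comparison flag it, and that check says nothing about whether the content is malicious, only that the name lies.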
Japanese Unexamined Patent Publication (Kokai) No. 2005-157598 describes a technique that separates the attached file from the text, converts the configuration data of the attached file into data of a safe format, forms a file from the converted data, and lets the user open a safe attached file using the e-mail text sent to the user beforehand and a key for opening the attached file. Further, Japanese Unexamined Patent Publication (Kokai) No. 2004-38273 describes a system that constructs a virtual host, executes the file there, and prevents virus infection while the virus test runs.
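As an added example of the first step of the separation approach just cited (not code from either publication), the block below takes a MIME message, splits the text from the attachments, forwards only the text with a notice per attachment, and holds the attachments themselves for inspection. The sample message, its addresses and the attachment bytes are constructed for the example; the safe-format conversion and the key-based opening described in the publication are not reproduced here, only the separation and quarantine.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_sample_mail() -> bytes:
    """Constructed sample: a normal-looking message whose attachment is named as a
    PDF but carries executable-looking bytes (sample data, not real malware)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice for March"
    msg.set_content("Please find the invoice attached.\n")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def detach_attachments(raw: bytes):
    """Separate text from attachments. Returns (safe_message, quarantined) where
    safe_message carries only the text plus a notice per held attachment and
    quarantined is a list of dicts describing (and holding) each attachment."""
    original = BytesParser(policy=policy.default).parsebytes(raw)
    body = original.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    quarantined = []
    for part in original.iter_attachments():
        data = part.get_payload(decode=True) or b""
        quarantined.append({
            "filename": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,                     # kept out of the user's mailbox
        })

    safe = EmailMessage()
    for header in ("From", "To", "Subject"):
        if original[header] is not None:
            safe[header] = original[header]
    notice = "".join(
        f"\n[attachment held for inspection: {q['filename']} "
        f"({q['content_type']}, {q['size']} bytes, sha256 {q['sha256'][:16]}...)]"
        for q in quarantined)
    safe.set_content(text + notice)
    return safe, quarantined


if __name__ == "__main__":
    safe_msg, held = detach_attachments(build_sample_mail())
    print(safe_msg.as_string())
    for q in held:
        print("held:", q["filename"], q["size"], "bytes", q["sha256"])
```

The cost the next paragraph describes is visible here: every attachment is handled on the server side, and the held copies still have to be examined (or converted) before anyone can use them, which is the work that makes such schemes burdensome at scale.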
To use these techniques to discern an e-mail that appears normal but contains a virus, every attached file must be checked, which costs time and effort in maintaining security or otherwise increases the load on the party managing the mail server. No simple solution has yet been achieved. In the end, the classic attack using an e-mail disguised as normal can presently be prevented only by examining the e-mail without opening the file and then deleting it, or by moving the file to another recording medium or the like and checking it for viruses with virus-check software.
When virus mail proliferates and infects a large number of poorly maintained servers, attack packets and the like are sent to specific web servers within a limited time, destabilizing the operation of those computer systems and inflicting commercial damage.
Here, a DoS or DDoS attack that sends a flood of attack packets at specific web servers can be prevented by the filtering functions provided at firewalls. Usable filtering functions include static filtering, dynamic filtering, stateful inspection, and inspection of applications and data.
However, to use the above filtering functions, the destination IP address, source IP address, protocol number, destination port number, source port number, and so on must be registered in advance, and servers that do not match this registered information are not protected by the filtering. The related operations (for example, Internet→LAN→source port no. 80 and/or source IP address . . . , destination port no. . . . , destination IP address . . . ) have had to be registered dynamically in advance. However, when packets that comply with such related operations are allowed to pass in this way, registration in advance is again necessary.
Furthermore, such countermeasures are not necessarily effective against disguised packets, for example packets whose source address has been forged to match an entry that is allowed to pass.
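The following added example (not code from this publication or from any firewall product) models the filtering described in the preceding paragraphs: a static rule table keyed on direction, protocol, source and destination address and port, and a simple dynamic filter that registers the reverse of an outbound connection so the reply can pass. The addresses, ports and rule entries are constructed. It shows the three limitations the text names: a flood from a source that was not registered in advance passes, a server that has no entry is either unprotected or unreachable depending on the default, and a packet forged with the same header fields as a legitimate reply is indistinguishable from it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = Internet -> LAN, "out" = LAN -> Internet
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One statically registered filter entry; None for a port means 'any'."""
    direction: str
    proto: str
    src_net: str
    src_port: Optional[int]
    dst_net: str
    dst_port: Optional[int]
    action: str         # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and p.proto == self.proto
                and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
                and (self.src_port is None or p.src_port == self.src_port)
                and (self.dst_port is None or p.dst_port == self.dst_port))


def static_filter(rules, p: Packet, default="deny") -> str:
    """Static filtering: first matching registered rule wins; anything that was
    never registered falls through to the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFilter:
    """Dynamic filtering: an outbound connection from the LAN registers its reverse
    4-tuple so the reply is passed without a static entry. Inbound packets that
    match no registered flow fall back to the static table."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def check(self, p: Packet) -> str:
        if p.direction == "out":
            # Simplification for the example: all LAN-originated traffic is allowed.
            self.flows.add((p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port))
            return "allow"
        if (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port) in self.flows:
            return "allow"          # looks like a reply; header fields are all we have
        return static_filter(self.rules, p)


# Constructed rule table: one pre-registered attack source, one registered web server.
WEB_SERVER = "192.0.2.10"           # registered
OTHER_SERVER = "192.0.2.20"         # never registered
RULES = [
    Rule("in", "tcp", "203.0.113.0/24", None, WEB_SERVER + "/32", 80, "deny"),
    Rule("in", "tcp", "0.0.0.0/0", None, WEB_SERVER + "/32", 80, "allow"),
]


def demo():
    """Run the scenarios from the text and return the verdicts by name."""
    known_attacker = Packet("in", "tcp", "203.0.113.7", 40000, WEB_SERVER, 80)
    new_attacker = Packet("in", "tcp", "198.51.100.9", 40000, WEB_SERVER, 80)
    unregistered = Packet("in", "tcp", "198.51.100.9", 40000, OTHER_SERVER, 80)

    sf = StatefulFilter(RULES)
    client_out = Packet("out", "tcp", "192.0.2.50", 51000, "198.51.100.9", 443)
    reply_in = Packet("in", "tcp", "198.51.100.9", 443, "192.0.2.50", 51000)
    before = sf.check(reply_in)     # no flow yet
    sf.check(client_out)            # LAN host opens a connection
    after = sf.check(reply_in)      # genuine reply passes ...
    forged = sf.check(Packet("in", "tcp", "198.51.100.9", 443, "192.0.2.50", 51000))

    return {
        "registered_attacker": static_filter(RULES, known_attacker),
        "unregistered_attacker": static_filter(RULES, new_attacker),
        "unregistered_server_default_deny": static_filter(RULES, unregistered, "deny"),
        "unregistered_server_default_allow": static_filter(RULES, unregistered, "allow"),
        "reply_before_flow": before,
        "reply_after_flow": after,
        "forged_reply": forged,     # ... and so does a packet forged to look like it
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36s} {verdict}")
```

The forged-reply case is the point of the last paragraph: the dynamic entry is keyed only on header fields, so a packet built with the same source address and ports as the expected reply is passed, and the static table cannot help because the source was chosen precisely so that no deny rule matches it.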